
N. Dakota Judge rules that "host -l" command constitutes hacking

Thought you guys would find this interesting to read.

A North Dakota judge issued a ruling in Sierra Corporate Design v. Ritz that has some pretty stunning implications about the use of the "host -l" command when accessing DNS records. In the judgment (which was prepared by the plaintiff's counsel and sent to the judge), the use of the "host -l" command is tantamount to computer hijacking and hacking.

For the uninitiated, when using the "host -l" command on a DNS server, the user will receive a list (hence the "l") of all information pertaining to the domain's zone file, assuming it has not been protected. The same way WHOIS returns information on the owner of a domain, "host -l" returns information about hosts on that domain.

And although this was a civil matter, this ruling could (and we stress could, no need getting ahead of ourselves) lead to "unauthorized" "host -l" usage being deemed a criminal act, per North Dakota's computer crime statute.

Before even discussing the merits (or lack thereof) of the case in question, this judgment just strikes us as uninformed, bizarre and wrong. The "host -l" command when accessing DNS records does not reveal any information that is not set for public display. The plaintiff's contention in this case was that the information obtained by "host -l" (non-routable IP addresses, host names and domain registrations) was not meant to be publicly accessible. Because the defendant was able to procure this information and published it in various USENET groups, the plaintiff claims that the act was a violation of the computer crime statute.

Here's the problem: "host -l" will only show information that the administrator has allowed to be public. Just because it is a DNS command that many computer users are unaware of does not mean that leaving information that one wishes to remain undisclosed is safe.

Some background on the case:

Jerry Reynolds and his company Sierra Corporate Design have been a target of anti-spam crusaders, who were able to unearth proof that servers under his operation were responsible for (at the time) the majority of spam on the Internet. Reynolds' response has been to sue his accusers for defamation (those lawsuits have been dropped due to lack of jurisdiction control of the defendant).

In 2005, he filed a lawsuit against David Ritz, an anti-spam crusader, alleging that by publishing Reynolds' server information, Reynolds' business was compromised. Today's judgment awarded Reynolds (via his company) the full amount of actual damages (nearly $3000) and an additional $50,000.00 in exemplary damages.

Again, even without discussing the merits of the actual lawsuit in the first place, ruling that using a command to access public information constitutes "hacking" if the command is unauthorized is completely and utterly wrong.

While we can understand that it would be upsetting for information you think is private to be made public, ultimately it is the administrator's responsibility to make sure that the information released under host lookup is information they want to be open to the public.

A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
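
An added example, not part of the original post or the quoted article: the article's point that the administrator decides what "host -l" (a zone transfer) can return, shown as a small audit of a name server configuration. It assumes BIND-style `named.conf` syntax, which the page does not mention; the zone names and addresses are constructed, and zones reported as `default` inherit the server's built-in setting, which depends on the server version and should be checked.

```python
import re

# Constructed sample in BIND named.conf syntax (an assumption); names are illustrative.
SAMPLE_CONF = """
options { directory "/var/named"; };
zone "example.com" {
    type master; file "example.com.zone";   // no allow-transfer set
};
zone "corp.example" {
    type master; file "corp.example.zone";
    allow-transfer { any; };
};
zone "example.net" {
    type master; file "example.net.zone";
    allow-transfer { 192.0.2.53; key xfer-key; };
};
"""

def block_after(text, start):
    """Body of the first brace block at or after `start`, nesting respected."""
    open_at = text.index("{", start)
    depth = 0
    for i in range(open_at, len(text)):
        depth += text[i] == "{"
        depth -= text[i] == "}"
        if depth == 0:
            return text[open_at + 1:i]
    raise ValueError("unbalanced braces")

def transfer_acl(body):
    """Elements of an allow-transfer ACL in `body`, or None if none is set."""
    m = re.search(r"\ballow-transfer\b", body)
    if m is None:
        return None
    return [e.strip() for e in block_after(body, m.end()).split(";") if e.strip()]

def audit(conf):
    """Classify each zone as 'open', 'restricted' or 'default' (nothing set)."""
    text = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # strip /* */ comments
    text = re.sub(r"(//|#)[^\n]*", "", text)             # strip // and # comments
    opts = re.search(r"\boptions\b", text)
    global_acl = transfer_acl(block_after(text, opts.end())) if opts else None
    result = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"', text):
        acl = transfer_acl(block_after(text, m.end()))
        acl = global_acl if acl is None else acl         # zone setting overrides options
        result[m.group(1)] = ("default" if acl is None else
                              "open" if "any" in acl else "restricted")
    return result
```

Calling `audit(SAMPLE_CONF)` flags `corp.example` as open to any requester and `example.com` as relying on the server default; `view` blocks are not modelled.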